b'Audit\nReport\n            DOD FINANCIAL AND FEEDER SYSTEMS\n                   COMPLIANCE PROCESS\n\nReport No. D-2002-044                 January 29, 2002\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c  Additional Copies\n\n  To obtain additional copies of this audit report, visit the Inspector General, DoD,\n  Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports\n  Distribution Unit of the Audit Followup and Technical Support Directorate at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                     Inspector General, Department of Defense\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nDFAS                  Defense Finance and Accounting Service\nDLA                   Defense Logistics Agency\nFMIP                  Financial Management Improvement Plan\nGAO                   General Accounting Office\nJFMIP                 Joint Financial Management Improvement Program\nODO                   Other Defense Organization\nOMB                   Office of Management and Budget\nOUSD (C)              Office of Under Secretary of Defense (Comptroller)\nUSD (C)               Under Secretary of Defense (Comptroller)\n\x0c\x0c                       Office of the Inspector General, DoD\nReport No. D-2002-044                                                 January 29, 2002\n  (Project No. D2001FG-0085)\n\n         DoD Financial and Feeder Systems Compliance Process\n\n                               Executive Summary\n\nIntroduction. The Federal Financial Management Improvement Act of 1996 mandates\nthat financial management systems comply with Federal financial system requirements,\nFederal accounting standards, and the U.S. Standard General Ledger at the transaction\nlevel. Within DoD, those three mandates are generally referred to as Federal financial\nmanagement systems requirements. In January 2001, DoD identified 187 critical\nsystems and initiatives, and estimated that it will cost approximately $3.7 billion to\ncorrect system deficiencies and result in systems that are compliant with Federal\nfinancial management systems requirements.\n\nOn January 5, 2001, the Under Secretary of Defense (Comptroller) issued a\nmemorandum formally approving the DoD Financial and Feeder Systems Compliance\nProcess for implementation within the DoD. The DoD Financial and Feeder Systems\nCompliance Process goal is to ensure compliance with applicable Federal financial\nmanagement systems requirements and enhance system\xe2\x80\x99s capabilities to provide timely\nand accurate financial data to senior DoD managers to aid decision making. On\nJuly 19, 2001, the Secretary of Defense established the DoD Financial Management\nModernization Program and identified reliable and timely financial management\ninformation to make effective business decisions as one of his highest priorities. Under\nthis direction, a DoD-wide blue print will be developed that prescribes how DoD\nfinancial and non-financial feeder systems will interact. The National Defense\nAuthorization Act for FY 2002 mandates that DoD establish a DoD financial and feeder\nsystems compliance process and the Financial Management Modernization Executive\nCommittee. The Under Secretary of Defense (Comptroller) issued a memorandum on\nOctober 12, 2001, to formally establish this Financial Management Modernization\nExecutive Committee to oversee the modernization effort. This committee will also\nprovide oversight to the DoD Financial and Feeder Systems Compliance Process.\n\nObjectives. Our objective was to determine the effectiveness of the DoD Financial and\nFeeder Systems Compliance Process to address compliance with applicable Federal\nfinancial management systems requirements. Specifically, we determined whether the\nDoD Financial and Feeder Systems Compliance Process would achieve compliance of\nboth individual and integrated systems.\n\nResults. The DoD Financial and Feeder Systems Compliance Process had not been\nfully implemented throughout DoD. The Air Force and the Defense Finance and\nAccounting Service had completed substantial work in implementing their own\nYear 2000-like compliance processes. However, the Army, Navy, Air Force, Defense\nFinance and Accounting Service, Defense Logistics Agency, and 12 Other Defense\n\x0corganizations needed to do more work toward implementing the DoD Financial and\nFeeder Systems Compliance Process. The Army, Navy, Air Force, Defense Finance\nand Accounting Service, and Defense Logistics Agency:\n\n       l   had started but had not completed data mapping, and\n       l   had not completed a critical inventory list.\n\nThe Army, Navy, Air Force, and Defense Finance and Accounting Service had issued\nguidance. We contacted nine Other Defense Organizations outside the DoD\nIntelligence community and three inside the DoD Intelligence community. Of the nine\nOther Defense Organizations, personnel from four were not aware of the DoD\nFinancial and Feeder Systems Compliance Process, and five stated that their agency\nwas aware of the memo, but only one stated that the memo had been implemented.\nThis occurred because the Under Secretary of Defense (Comptroller) did not have\nsufficient authority over the Military Departments and Defense agencies to effectively\nimplement the DoD Compliance Process. As a result, progress toward attaining\ncompliance with Federal and DoD financial management systems requirements had\nbeen slow, although new legislation for FY 2002 and DoD initiatives are intended to\nprovide more effective management oversight in the future. For details of the audit\nresults, see the Finding section of this report.\n\nSummary of Recommendations. We recommend that the Under Secretary of Defense\n(Comptroller) institutionalize the compliance process established under the National\nDefense Authorization Act for FY 2002 in an appropriate DoD issuance. We also\nrecommend the Under Secretary of Defense (Comptroller) establish and implement\nmechanisms to appropriately monitor the compliance process established under the\nNational Defense Authorization Act for FY 2002. Additionally, we recommend that\nthe Under Secretary of Defense (Comptroller) provide a clear definition of criticality\nand ensure that adequate guidance for compliance of commercial software is provided.\nWe recommend that the Director, Defense Finance and Accounting Service provide\ndetailed coverage of requirements for data standardization and general controls in \xe2\x80\x9cA\nGuide to Federal Requirements for Financial Management Systems.\xe2\x80\x9d\n\nManagement Comments. The Acting Deputy Chief Financial Officer, Office of the\nUnder Secretary of Defense (Comptroller) agreed to formalize the Compliance Process\nin a DoD issuance, establish a data repository to monitor the Compliance Process, and\nprovide the appropriate scope and language for the systems certification. The Office of\nthe Under Secretary partially concurred to providing a clear definition of criticality.\nThe Office of the Under Secretary also agreed to provide commercial software\nguidance. The Director of Systems Integration, Defense Finance and Accounting\nService stated that they will provide detailed coverage of data standardization and\ngeneral control requirements in \xe2\x80\x9cA Guide to Federal Requirements for Financial\nManagement Systems.\xe2\x80\x9d A discussion of the management comments is in the Finding\nsection of the report, and the complete text is in the Management Comments section.\n\nAudit Response. The Under Secretary of Defense (Comptroller) and the Director of\nSystems Integration, Defense Finance and Accounting Service were responsive to the\nrecommendations. Therefore, no further comments are required.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nExecutive Summary\n\nIntroduction\n     Background                                                           1\n     Objectives                                                           3\n\nFinding\n     Status of the DoD Financial and Feeder Systems Compliance Process   4\n\nAppendixes\n     A. Audit Process\n          Scope                                                          17\n          Methodology                                                    18\n          Prior Coverage                                                 18\n     B. The DoD Compliance Process                                       19\n     C. Other Defense Organization Status                                20\n     D. Report Distribution                                              21\n\nManagement Comments\n     Under Secretary of Defense (Comptroller)                            23\n     Defense Finance and Accounting Service                              27\n\x0cBackground\n           This audit was conducted pursuant to the responsibility of the Inspector General,\n           DoD, under the Federal Financial Management Improvement Act of 1996 to\n           assess the progress made toward substantial system compliance with applicable\n           guidelines and standards. This report discusses the effectiveness of the DoD\n           Financial and Feeder Systems Compliance Process (DoD Compliance Process).\n\n           History of DoD Financial Management Systems. DoD has had long standing\n           financial management problems chronicled by the General Accounting Office\n           (GAO) and Inspector General, DoD, audit reports that document systemic\n           system deficiencies. DoD acknowledged that their financial management\n           systems are flawed with decade-old problems and lack the capability to provide\n           reliable and timely information to DoD decision-makers. Also, DoD\n           acknowledged that most systems do not comply with Federal financial\n           management systems requirements.\n\n           Responsibility for DoD Financial Management Systems. The Under\n           Secretary of Defense (Comptroller) [USD (C)] is responsible for the\n           development, oversight, and implementation of DoD financial reporting policy.\n           The Defense Finance and Accounting Service (DFAS), under the authority of\n           the USD (C), owns and operates 56 of the DoD accounting and finance systems\n           and initiatives identified in the FY 2000 Financial Management Improvement\n           Plan (FMIP). DFAS is responsible for implementing, modifying, and\n           maintaining those systems. DFAS is also responsible for providing the Military\n           Departments and Defense agencies (DoD Components) with consultative\n           guidance and is jointly responsible for ensuring that DoD Component systems\n           interact effectively with DFAS systems. DoD Components are responsible for\n           implementing, modifying, and maintaining the feeder systems that provide\n           significant amounts of data to the DFAS systems.\n\n           DoD Financial and Feeder System Compliance Process. In 2000, the Office\n           of Under Secretary of Defense (Comptroller) [OUSD (C)] began efforts to\n           institute a Year 2000-like management approach to the DoD Compliance\n           Process1. On January 5, 2001, the USD (C) issued a memorandum formally\n           approving the DoD Compliance Process for implementation within DoD. The\n           DoD Compliance Process goal is to ensure that critical financial and feeder\n           systems are compliant with applicable Federal financial management systems\n           requirements. The DoD Compliance Process will enhance the system\xe2\x80\x99s\n           capabilities to provide timely and accurate financial data to aid decision making.\n           The DoD Compliance Process also identifies individual roles and responsibilities\n           of the Senior Financial Management Oversight Council (Council) and DoD\n           Components.\n\n\n\n1\n    Inspector General, DoD, Report No. D-2001-175, \xe2\x80\x9cApplication of Year 2000 Lessons Learned,\xe2\x80\x9d\n     August 22, 2001.\n                                                   1\n\x0c                  Senior Financial Management Oversight Council. The memorandum\n           formally approved and established the Council as the governing body of the\n           DoD Compliance Process. The memorandum also establishes the USD (C) as\n           Council Chair, Council membership, and its responsibilities, to include\n           overseeing a working group and verifying that exit criteria for each system has\n           been completed.\n\n                   DoD Components. DoD Components are responsible for ensuring that\n           their systems comply with applicable Federal and DoD financial management\n           requirements. DoD Components shall implement the five phases of the DoD\n           Compliance Process and develop corresponding funding plans for each critical\n           accounting, finance and feeder system. DoD Components are also responsible\n           for obtaining independent system validations from the Inspector General, DoD;\n           a consulting firm; or their respective audit agency.\n\n           The Five Phases. The DoD Compliance Process (modeled after the Year 2000\n           process) consists of five phases with defined exit criteria. The five phases are\n           Awareness, Evaluation, Renovation, Validation, and Compliance. The defined\n           exit criteria should be met before a system can advance from one phase to the\n           next. The DoD Compliance Process states that the DFAS "A Guide to Federal\n           Requirements for Financial Management Systems2" (Blue Book) shall be the\n           guidance a system is evaluated against prior to entering the next phase. See\n           Appendix B for a detailed discussion of the five phases of the DoD\n           Compliance Process.\n\n           Blue Book. The DoD Compliance Process establishes the Blue Book as the\n           primary source of guidance in determining system compliance. The Blue Book\n           is an extensive compilation of Federal and DoD requirements applicable to the\n           DoD finance, accounting and feeder systems. The Blue Book contains\n           numerous requirements issued by Office of Management and Budget (OMB),\n           GAO, Department of Treasury, Joint Financial Management Improvement\n           Program (JFMIP), and DoD. The Blue Book is organized into 15 major\n           categories of requirements including general ledger, financial reporting,\n           inventory, and travel. As such, the Blue Book is a valuable guide that can be\n           used to assist systems managers in determining whether their systems\n           substantially comply with Federal financial management systems requirements.\n\n           DoD Financial Management Modernization Program. On June 27, 2001,\n           DoD requested $100 million of FY 2002 funds for the development of a DoD-\n           wide management systems enterprise architecture and the definition of standard\n           data requirements. On July 19, 2001, the Secretary of Defense issued a\n           memorandum establishing the DoD Financial Management Modernization\n           Program. The requested $100 million is to fund the DoD Financial\n           Management Modernization Program efforts. The USD (C) in coordination\n           with the Under Secretary of Defense for Acquisition, Technology, and Logistics\n           and the Chief Information Officer shall provide policy and oversee the execution\n           of the program. The Program Management Office will develop a DoD-wide\n           blue print, an enterprise architecture, which prescribes how DoD financial and\n\n2\n    Version 3, June 2001.\n                                               2\n\x0c     non-financial feeder systems will interact. The DoD Components shall be\n     accountable to the Secretary of Defense for the results of their business\n     operations and their financial management systems\n\n     Financial Management Modernization Executive Committee. On\n     October 2, 2001, the Federal bill, S.1438 as passed by the Senate, authorized\n     appropriations for military activities for FY 2002. The S.1438 section 1007\n     mandated the establishment of a Financial Management Modernization\n     Executive Committee to establish a financial and feeder systems compliance\n     process. Subsequently, on October 12, 2001, the USD (C) issued a\n     memorandum formally establishing the Financial Management Modernization\n     Executive Committee as specified in the July 19, 2001, Secretary of Defense\n     memorandum. The Financial Management Modernization Executive Committee\n     charter supercedes the Senior Financial Management Oversight Council charter.\n\n     On December 28, 2001, Federal Bill S.1438 was signed into law as the National\n     Defense Authorization Act for FY 2002. The National Defense Authorization\n     Act for FY 2002 mandates that DoD establish the Financial Management\n     Modernization Executive Committee. This committee shall establish a financial\n     and feeder systems compliance process (Authorization Act Compliance\n     Process). Additionally, this committee should develop, monitor, and supervise\n     a management plan for implementing the Authorization Act Compliance\n     Process. In addition, this committee must ensure the development and\n     maintenance of a DoD enterprise architecture in conjunction with the\n     compliance process efforts. This committee will be accountable to the Senior\n     Executive Council that includes, among others, the Secretary and Deputy\n     Secretary of Defense.\n\n     Financial Management Improvement Plan. In January 2001, the USD (C)\n     issued the FMIP to meet the requirements of the National Defense Authorization\n     Act for FY 1998. The FMIP identifies DoD critical financial systems and\n     initiatives intended to improve the financial data provided by critical feeder\n     systems, such as, the DoD Compliance Process. The DoD owns one critical\n     system initiative reported in the FMIP. The Army, Navy, Air Force, DFAS,\n     Defense Logistics Agency (DLA), and Other Defense Organizations (ODO) own\n     24, 34, 46, 57, 9, and 16 systems and initiatives reported in the FMIP,\n     respectively. According to the FMIP, it will cost approximately $3.7 billion to\n     make the critical systems compliant by 2003.\n\nObjectives\n     Our overall objective was to determine the effectiveness of the DoD Financial\n     and Feeder Systems Compliance Process to address compliance with applicable\n     Federal financial management systems requirements. Specifically, the objective\n     was to determine whether the DoD Financial and Feeder Systems Compliance\n     Process would achieve compliance of both individual and integrated systems.\n     See Appendix A for a discussion of the audit scope and methodology and prior\n     coverage related to the audit objectives.\n\n                                        3\n\x0c          Status of the DoD Financial and Feeder\n          Systems Compliance Process\n          The DoD Financial and Feeder Systems Compliance Process had not\n          been fully implemented throughout DoD. The Air Force and the DFAS\n          had completed substantial work in implementing their own\n          Year 2000-like compliance processes. However, the Army, Navy,\n          Air Force, DFAS, DLA, and 12 ODOs needed to do more work toward\n          implementing the DoD Compliance Process. This occurred because the\n          USD (C):\n\n                 l   had not addressed other initiatives that logically should be\n                     completed prior to the successful implementation of a\n                     compliance process,\n\n                 l   did not have sufficient authority over DoD Components to\n                     effectively implement a compliance process,\n\n                 l   did not have the mechanisms in place to adequately monitor a\n                     compliance process implementation, and\n\n                 l   had not established sufficient guidance to ensure adequate\n                     reviews of financial management systems are performed.\n\n          Additionally, some DoD Components had shown a lack of initiative in\n          implementing the DoD Financial and Feeder Systems Compliance\n          Process. As a result, progress toward attaining compliance with Federal\n          and DoD financial management systems requirements had been slow,\n          although new legislation and DoD initiatives are intended to provide\n          more effective management oversight in the future.\n\nNational Defense Authorization Act for FY 2002\n    The enactment of the National Defense Authorization Act for FY 2002\n    establishes a DoD financial and feeder systems compliance process\n    (Authorization Act Compliance Process) as law and will supercede the prior\n    DoD Compliance Process. This report focuses on the issues identified during\n    our audit of the DoD Compliance Process. Those issues should be addressed in\n    the development and implementation of the Authorization Act Compliance\n    Process.\n\nDoD Compliance Process Status\n    The DoD Compliance Process had not been implemented throughout DoD. In\n    January 2001, DoD identified 187 critical systems and initiatives. DoD\n\n\n                                       4\n\x0cestimated that it will cost approximately $3.7 billion to correct system\ndeficiencies and result in systems compliant with Federal financial management\nsystems requirements. The Army, Navy, Air Force, DFAS, and DLA:\n\n        l   had started but had not completed data mapping, and\n        l   had not completed a critical inventory list.\n\nThe Army, Navy, Air Force, and DFAS had issued guidance. Data mapping, a\ncomplete critical inventory list, and guidance are key to the successful\nimplementation of a compliance process. The USD (C), GAO, and Inspector\nGeneral, DoD, consider data mapping to be an important step in a compliance\nprocess. Although data mapping is not a specific exit criteria, it is the logical\nstarting place to verify that a complete critical inventory list can be identified.\nData mapping is documenting the flow of financial information from point of\noriginal entry to eventual reporting on the financial statements. Data mapping\nshould be completed early in the DoD Compliance Process to verify that all\ncritical and non-critical systems involved in the flow of data from transaction\norigination to presentation on the financial statements can be identified. Data\nmapping also helps verify that DoD Components have appropriately identified\nand considered sources of financial information and their impact on overall data\naccuracy. Following the completion of data mapping, a DoD Component will\nbe able to establish a complete critical inventory list, the first exit criteria in the\nAwareness phase. Additionally, DoD Components that issued guidance had\nprogressed further in implementing a compliance process than those DoD\nComponents that have not.\n\nThe Navy, Air Force, and DFAS had independently established their own\nYear 2000-like processes for determining compliance with Federal financial\nmanagement system requirements prior to the development of the DoD\nCompliance Process. The Air Force and DFAS had completed substantial work\nin implementing their respective Year 2000-like compliance processes.\nHowever, the Army, Navy, Air Force, DFAS, DLA, and the 12 ODOs\ncontacted needed to do more work toward implementing the DoD Compliance\nProcess because none of those DoD Components have completed data mapping\nor a critical inventory list.\n\nDoD Component status and key measures of success for implementing a\ncompliance process are presented in the table below.\n\n\n                         Compliance Process Measures\n\n                                      Air\n Key Measures                        Force   DFAS    Army      Navy     DLA\n Started data mapping systems         Yes     Yes     Yes      Yes      Yes\n Completed data mapping systems       No      No      No        No       No\n Completed critical inventory list    No      No      No        No       No\n Issued guidance                      Yes     Yes     Yes      Yes       No\n\n\n\n                                        5\n\x0c        Air Force. Air Force completed substantial work in implementing its\n        Year 2000-like compliance process prior to the development of the DoD\n        Compliance Process. The Air Force reported its critical inventory list to include\n        23 legacy, 21 ongoing, and 6 systems under development. However, the\n        Air Force did not complete data mapping. Until Air Force has completed data\n        mapping, the critical systems list may not be all-inclusive.\n\n        The Air Force issued guidance for achieving system compliance with Federal\n        financial management system requirements and established individual milestones\n        for its systems with the overall milestone of September 2003. The Air Force\n        categorized each system into one of five Air Force phases. The five Air Force\n        phases are awareness, evaluation, renovation, validation, and compliance. The\n        Air Force process varies from DoD because the Air Force does not certify\n        substantial compliance of a system until successful completion of a validation\n        audit. The DoD Compliance Process requires certification of the system prior\n        to the request for validation. The Air Force should coordinate with the\n        OUSD (C) to address the differences in the two processes to avoid confusion\n        regarding which process they are referring to.\n\n        The Air Force progress to achieve compliance can be partially attributed to the\n        implementation of a team to oversee their process, Air Force Audit Agency or\n        contractor3 assistance, a reporting tool to track systems progress, and briefings\n        keeping management informed. The Air Force is using the Blue Book as\n        guidance to determine compliance with the Federal financial management\n        systems requirements and supplemented the Blue Book with specific\n        requirements for system controls. The Air Force also established a web-based\n        encyclopedia containing system information that includes interfaces, feeder\n        systems, migration paths, and infrastructure. The Air Force is reporting\n        three systems in its validation phase. Air Force Audit Agency is performing\n        two of the validation audits and has contracted out the third.\n\n        Defense Finance and Accounting Service. DFAS completed substantial work\n        in implementing its own Year 2000-like process prior to the development of the\n        DoD Compliance Process. DFAS is responsible for the compliance of\n        20 DFAS systems and jointly responsible for 3 other systems within DoD.\n        However, DFAS did not complete data mapping. Until DFAS has completed\n        data mapping, the critical systems list may not be all-inclusive.\n\n        In July 1998, DFAS developed guidance to determine compliance of its critical\n        systems with Federal financial management system requirements. The DFAS\n        process evolved into five phases and was commonly referred to as the DFAS\n        Compliance Assessment Methodology. The five DFAS phases were awareness,\n        evaluation, renovation, validation, and compliance. In May 2001, DFAS\n        formally established the Systems Compliance Review Board Charter to review\n\n\n\n3\nThe Air Force contracted with Grant Thornton and Associates to map its feeder systems to its general\nfund balance sheet line items. The Air Force also contracted with Logicon to assist in the identification\nof its financial systems inventory.\n                                                    6\n\x0c           systems compliance and recommend certification to the DFAS Director. Within\n           the charter, DFAS included an outline of the revised DFAS Compliance Process\n           that was updated to be in alignment with the DoD Compliance Process.\n\n           The DFAS progress to achieve compliance can be partially attributed to the use\n           of a spreadsheet to track its systems status, checkpoints4, points of contact, and\n           milestones for each system. The DFAS Test Integration Data Repository\n           maintains requirement profiles, test scripts and results, data collection plans,\n           and is accessible via the World Wide Web. Additionally, DFAS contracted with\n           KPMG Consulting and Arthur Andersen LLP to provide assistance in\n           performing compliance assessments. Management is also provided monthly\n           briefings on DFAS system efforts. As of May 2001, the DFAS Director issued\n           a memorandum to the Council certifying that one system, Defense Industrial\n           Financial Management System, is compliant. DFAS set an overall milestone\n           of FY 2003 for its systems to be certified compliant.\n\n           Army. The Army did not independently establish a Year 2000-like process for\n           achieving compliance with Federal financial management systems requirements.\n           The Army initiated data mapping and compiled a list of critical systems for\n           submission to the FMIP. However, Army personnel stated that mapping efforts\n           were halted because the process was considered time consuming and would\n           require an extensive use of resources. Until the Army has completed data\n           mapping, the critical inventory list may not be all-inclusive.\n\n           On May 17, 2001, the Army Audit Agency and the Office of the Deputy\n           Assistant Secretary of the Army (Financial Operations) entered into a\n           memorandum of agreement defining their responsibilities for each phase of the\n           DoD Compliance Process. On June 21, 2001, the Army issued memorandums\n           to its components to provide awareness of the DoD Compliance Process and to\n           identify 13 of its critical systems. The memorandums also identified the Army\n           Audit Agency as the independent validation provider. The Chief Information\n           Officer Executive Board was identified as the senior body to address Army-wide\n           compliance issues. Army personnel reported that the Corps of Engineers\n           Financial Management System was ready for validation.\n\n           Navy. The Navy established a Year 2000-like process that incorporates several\n           initiatives to include:\n\n                    l   Office of Secretary of Defense Implementation Strategies,\n\n                    l   business process reengineering, and\n\n                    l   compliance with Federal financial management systems\n                        requirements.\n\n           The Navy plans to transition this process to coincide with the DoD Compliance\n           Process but did not provide a milestone for this transition. The Navy\n\n4\n    Checkpoints outline the DFAS compliance assessment process and are steps to be completed that identify\n    the responsible organization, associated deliverables, and recipients of those deliverables.\n                                                     7\n\x0cestablished 13 non-financial feeder teams, including representatives from\nvarious audit agencies, 11 of which were aligned with the Office of Secretary of\nDefense Implementation Strategies. The 13 non-financial feeder teams were\nestablished to review Navy business practices and streamline those processes\nand to achieve compliance with Federal financial management systems\nrequirements. We were unable to determine the success of those efforts to\nachieve compliance with Federal financial management systems requirements.\nOn February 14, 2001, the Navy issued a memorandum to establish an\nawareness of the DoD Compliance Process. On February 23, 2001, the Navy\nalso issued a memorandum requesting a complete systems inventory by each\nmajor command. According to Navy personnel, this effort has been\nsubstantially completed. The Navy did not report that any systems were ready\nfor validation.\n\nDefense Logistics Agency. In January 2001, DLA issued a memorandum\nproposing a strategy to implement the DoD Compliance Process. However, no\nDLA implementation guidance had been issued. DLA did not complete data\nmapping or its critical inventory list. DLA personnel stated that a critical\ninventory list was submitted for the FMIP. However, the list did not include\nsystems that would be critical according to the DoD Compliance Process. DLA\nis working with their contractor, Deloitte and Touche, to identify critical\nfinancial and feeder systems but is focusing its efforts on the business system\nmodernization initiative. This initiative will replace many existing DLA\nsystems and is intended to correct financial management deficiencies that exist\nwithin its business area. DLA did not report any systems ready for validation.\n\nOther Defense Organizations. The sample of nine ODOs outside the DoD\nIntelligence community and three inside the DoD Intelligence community have\nmade minimal progress in implementing the DoD Compliance Process. We\ncontacted nine ODOs, outside of the DoD Intelligence community, to determine\nwhether they were aware of the DoD Compliance Process. Five ODOs had\nDoD imposed reporting requirements, and seven ODOs list systems ownership\nin the FMIP. Of the personnel contacted from the nine ODOs, four were not\naware of the DoD Compliance Process, and five stated that their agency was\naware of the memo, but only one stated that the memo had been implemented.\nFor details of the specific ODOs, see Appendix C of this report.\n\nAdditionally, we contacted three ODOs within the DoD Intelligence community.\nTwo of those DoD Intelligence agencies list ownership of one critical system in\nthe FMIP. Personnel from the National Imagery and Mapping Agency, which\nreports ownership of one critical system in the FMIP, were not aware of the\nDoD Compliance Process. The two additional DoD Intelligence agencies need\nto do more work toward implementing the DoD Compliance Process.\nHowever, we do not discuss details of the results of these two DoD Intelligence\nagencies because the information is classified.\n\n\n\n\n                                    8\n\x0cDoD Compliance Process Issues\n       DoD acknowledges that flaws still exist within its financial management\n       framework. Although the implementation of a compliance process should\n       resolve some of those problems, the success of the DoD Compliance Process\n       had been affected by other factors. Specifically, the USD (C):\n\n               l   had not addressed other initiatives that logically should be completed\n                   prior to the successful implementation of a compliance process,\n               l   did not have sufficient authority over DoD Components to effectively\n                   implement a compliance process,\n\n               l   did not have the mechanisms in place to adequately monitor a\n                   compliance process implementation, and\n\n               l   had not established sufficient guidance to ensure adequate reviews of\n                   financial management systems are performed.\n\n       Other Initiatives. The January 5, 2001, memorandum acknowledges that DoD\n       Components must execute the DoD Compliance Process in concert with other\n       initiatives. However, some of those initiatives logically precede the effective\n       implementation of a compliance process and include systems integration and\n       standardization efforts and the DoD-wide enterprise architecture.\n\n               Friedman Report. The Secretary of Defense contracted with the\n       Institute for Defense Analyses to conduct a study and recommend a strategy for\n       financial improvements within DoD. The study resulted in the report\n       \xe2\x80\x9cTransforming Department of Defense Financial Management, a Strategy for\n       Change,\xe2\x80\x9d April 13, 2001, also known as the Friedman Report. The report\n       indicated that many positive projects are underway within DoD. However,\n       those projects are narrow in focus, have insufficient leadership, and are not part\n       of an overall integrated DoD-wide strategy. The report recommended a\n       structural change within the DoD financial framework by developing standard\n       integrated systems and mandating the standardization of finance, accounting and\n       feeder systems. The July 19, 2001, Secretary of Defense memorandum; the\n       October 12, 2001, USD (C) memorandum; and the National Defense\n       Authorization Act for FY 2002 have addressed some of the Friedman report\n       recommendations.\n\n               Enterprise Architecture. GAO reported5 that DoD does not have a\n       DoD-wide financial management enterprise architecture. An enterprise\n       architecture provides an operational and technological view of an organization\xe2\x80\x99s\n       current and targeted environment. The enterprise architecture also provides a\n       roadmap between the two environments. GAO recommended that DoD\n       immediately designate DoD financial management modernization as a\n5\nGAO Report 01-525, Information Technology, Architecture Needed to Guide Modernization of DOD\xe2\x80\x99s\nFinancial Operations, May 17, 2001.\n                                              9\n\x0c       departmental priority and implement an enterprise architecture. On\n       June 27, 2001, DoD requested $100 million for development of a DoD-wide\n       management systems enterprise architecture. On July 19, 2001, the Secretary of\n       Defense established the DoD Financial Management Modernization Program to\n       develop a DoD-wide blue print (an enterprise architecture) that prescribes how\n       DoD financial and non-financial feeder systems will interact. Subsequently, on\n       October 12, 2001, the USD (C) issued a memorandum establishing the Financial\n       Management Modernization Executive Committee as the advisory body to the\n       USD (C) for financial management modernization. Additionally, on\n       November 29, 2001, a Request for Quotations was issued for the development\n       of a DoD-wide Financial Management Enterprise Architecture for the\n       OUSD (C).\n\n       Direct Authority. The USD (C) did not have sufficient authority to effectively\n       implement the DoD Compliance Process. GAO reported6 that DoD Components\n       have been directed to follow USD (C) guidance. However, USD (C), as the\n       Council Chair, lacked authority over the DoD Component feeder systems.\n       Three later actions, the July 19, 2001, Secretary of Defense memorandum; the\n       October 12, 2001, USD (C) memorandum; and the National Defense\n       Authorization Act for FY 2002 have largely addressed GAO concerns.\n\n       The July 19, 2001, the Secretary of Defense memorandum established the DoD\n       Financial Management Modernization Program, giving the USD (C)\n       responsibility for the overall direction of financial management reform within\n       DoD. Additionally, the memorandum established a Program Management\n       Office that shall report to the USD (C). The memorandum also states that DoD\n       Components will be accountable to the Secretary of Defense for the results of\n       their business operations and their financial management systems. On\n       October 2, 2001, the Senate passed, the Federal Bill, S.1438 mandating the\n       establishment of the Financial Management Modernization Executive Committee\n       with the USD (C) as its chair. The Committee will be accountable to the Senior\n       Executive Council that includes the Secretary and Deputy Secretary of Defense.\n       The Committee\xe2\x80\x99s accountability to the Senior Executive Council should also\n       alleviate most of the GAO concerns on the USD (C) lack of authority over DoD\n       Components. Anticipating that the Senate provision would become law, the\n       USD (C) issued the October 12, 2001, memorandum formally establishing the\n       Committee and superceding the Council. On December 28, 2001, the Federal\n       Bill, S.1438 was signed into law as the National Defense Authorization Act for\n       FY 2002. However, establishing the Authorization Act Compliance Process in\n       a DoD issuance should also provide the authority necessary for implementation.\n\n       Monitoring a Compliance Process. USD (C) did not have the mechanisms in\n       place to adequately monitor the implementation of a compliance process.\n       Specifically, the USD (C) had not implemented a systems database, and DoD\n       Components have requested information on its status to track other systems not\n\n\n\n6\nGAO Report 01-525, Information Technology, \xe2\x80\x9cArchitecture Needed to Guide Modernization of DOD\xe2\x80\x99s\nFinancial Operations,\xe2\x80\x9d May 17, 2001.\n                                              10\n\x0cwithin their purview. The USD (C) had also not defined the appropriate\nlanguage for a DoD Component to certify system compliance and verify\nconsistency in the scope of a system certification.\n\n        Systems Database. USD (C) personnel stated that a data call will be\nrequested from DoD Components to populate a system database with\ninformation such as system status, milestones, interfaces, and funding. The\ndatabase is intended to blend information reporting requirements and track\nsystems in their progress. Until the system database is populated, the USD (C)\nwill not be able to monitor and control systems progressing through each of the\nfive phases.\n\nDoD Components also remain unaware of the compliance status for systems not\nin their purview, but affecting their business area. For example, the Standard\nProcurement System and the Defense Travel System will impact the compliance\nof other DoD Component business areas. However, the compliance status of\nthose systems is unknown to some DoD Components. Overall, compliance for a\nbusiness area cannot be determined until all systems composing the business\narea are compliant. Once the systems database is available, DoD Components\nshould have access to the compliance status of other DoD systems that affect\ntheir business areas.\n\n        Certification. The USD (C) had not defined appropriate language for a\nsystem certification to be submitted as part of the Renovation phase exit criteria.\nThe DoD Compliance Process goal is to ensure that financial and feeder systems\n(both from a single systems and integrated systems perspectives) comply with\nFederal financial management systems requirements. However, the DoD\nCompliance Process Renovation phase requires DoD Components to certify that\ntheir systems comply with all identified requirements based on the latest edition\nof the Blue Book. Although the Blue Book is an extensive compilation of\nrequirements, it does not necessarily include all Federal requirements. DoD\nComponents should use the Blue Book as a tool in determining compliance, but\nare also responsible for knowing all laws and regulations applicable to their\nsystems, which may not be included in the Blue Book. Therefore, DoD\nComponents should certify compliance based on the applicable requirements\nidentified in the latest edition of the Blue Book and other relevant requirements\nas necessary. Also, certification of the application system alone does not\nconsider erroneous data streams from feeder systems, or systems controls\nexternal to the application. Without standardized language identifying the scope\nof the certification, DoD Components may certify that the application software\nis compliant as a stand-alone system and not in an installed or integrated\nenvironment.\n\nSufficiency of Guidance. The USD (C) had not established adequate guidance\nfor defining what constitutes a critical system. In addition, the Blue Book does\nnot reference sufficient criteria to ensure an adequate financial management\nsystem review is performed. Also, the DoD Compliance Process incorrectly\nlinks compliance with Federal financial management systems requirements to\nJFMIP approved software. Adequate guidance should be provided for the DoD\nCompliance Process to be successful.\n                                    11\n\x0c         Critical Definition. The DoD Compliance Process definition of a\ncritical financial management system remains unclear. The DoD Compliance\nProcess conceptually defines a critical financial management system as\nproviding information that is materially important to entity-wide financial\nmanagement, control and reporting. Criticality is based on the concept that a\nsystem provides information that is important in producing reliable financial\nreports, ensuring that the DoD missions are met, or assisting decision makers.\nThe DoD Compliance Process states that ascertaining the criticality of a system\nis somewhat judgmental; therefore, it provides a materiality definition. For a\nfinancial statement line item that is greater than, or equal to, 3 percent of total\nentity assets, the reporting entity shall deem critical any system that is the\nsource of values equal to, or greater than, 10 percent of the total amount\nreported on the applicable financial statement line item. This materiality\ndefinition is to be used as a mechanism for determining criticality by quantifying\ncritical systems to achieve consistency. When defining the criticality of a\nsystem, there is an uncertainty as to the use of the conceptual or the materiality\ndefinition.\n\nThe DoD Compliance Process states that the DoD Components shall use the\nmateriality definition. However, the Army, Navy, and Air Force stated that not\nall systems on their critical systems list would be considered critical according\nto the materiality definition. For example, a system may be considered critical\naccording to the materiality definition. However, a system that provides data to\nthe critical system may not meet the materiality definition. Using the materiality\ndefinition to determine criticality, DoD Components may fail to identify systems\nthat could impact the accuracy and reliability of data reported on the financial\nstatements. Therefore, systems not deemed critical according to the materiality\nguidance may not be subjected to the DoD Compliance Process. Subsequently,\nOUSD (C) personnel stated that based on the outcome of the DoD enterprise\narchitecture efforts, any system providing data to the financial statements should\nbe mapped and considered reportable. OUSD (C) should meet collectively with\nDoD Components to clarify the critical definition issues that continue throughout\nthe DoD.\n\n        Blue Book. The DoD Compliance Process states that the Blue Book\nshall be the primary guidance that a system is evaluated against prior to entering\nthe next phase. Although we did not perform a complete assessment of the Blue\nBook, we did determine that it lacks sufficient guidance to ensure compliance in\nthe areas of data standardization and general controls. A DoD Component that\ncertifies compliance using the Blue Book requirements may not have performed\na sufficient review to determine whether its systems substantially meets the\napplicable requirements.\n\n                Data standardization. The Blue Book does not adequately\nreference sufficient guidance to ensure data standardization requirements will be\nassessed for DoD financial management systems. OMB Circular A-127 requires\nthat each agency establish and maintain a single, integrated financial\nmanagement system. For a system to be integrated, it must provide standard\ndata classifications (definitions and formats) and common processes used for\nsimilar transactions. An integrated system must also provide a design that\n                                    12\n\x0c           eliminates unnecessary duplication of transaction entry. DoD systems often\n           require duplicative reentry, crosswalks, and manual workarounds. Although the\n           Blue Book cites OMB Circular A-127, it is not likely that system owners will\n           perform a sufficient review unless more definitive requirements are detailed in\n           the Blue Book. The Blue Book should clearly define standard data\n           classifications, common processes, and unnecessary duplication to ensure that\n           system owners comply with the requirements. The DoD requested $100 million\n           of FY 2002 funds for the USD (C) to develop an enterprise architecture and\n           define standard data requirements. DFAS should update the Blue Book to\n           reference those standards, once the USD (C) approves the standard data\n           requirements.\n\n                          General Controls. The Blue Book lacks sufficient and\n           comprehensive coverage of general controls. General controls are management\n           controls that apply to the overall computer operations of an agency. Examples\n           of general controls include, but are not limited to:\n                   l    establishing an overall security program,\n                   l    implementing procedures for changing software,\n                   l    separating duties that could allow unauthorized activity, and\n                   l    establishing controls to monitor use of software.\n\n           Some of those controls are referenced in OMB Circular A-130 and DoD\n           Instruction 5200.407. Although the Blue Book cites guidance for some general\n           controls, the guidance is minimal and may not ensure that those controls are\n           operating effectively and ensuring the reliability of data. The Blue Book should\n           provide coverage of general controls to ensure that system owners perform a\n           sufficient review and reference the applicable Federal and DoD requirements.\n           In addition, some general controls are not under the purview of system owners\n           and will require coordination among the DoD Components and OUSD (C). The\n           USD (C) is aware of those deficiencies, and DFAS plans to incorporate\n           additional general controls in the next version of the Blue Book. However,\n           because the USD (C) lacked the authority to effectively implement the DoD\n           Compliance Process, DoD Components may still not perform a thorough\n           review.\n\n                    Compliance of JFMIP Certified Software. The JFMIP publishes the\n           Core Financial System Requirements (core requirements) that serve as the basis\n           to test commercial financial software. The DoD Compliance Process states that\n           any system that is JFMIP approved may be placed in the Compliance phase.\n           However, JFMIP personnel stated that approved commercial software does not\n           ensure compliance because JFMIP core requirements do not cover all Federal\n           financial management systems requirements that may be applicable to a system.\n           A DoD Component purchasing commercial software with inventory, property or\n           travel functions must meet additional requirements, which are not covered in the\n           JFMIP core requirements testing. JFMIP also tests commercial software\n           capabilities in an ideal environment and does not test how the commercial\n           software is installed. For example, an agency may install a JFMIP approved\n\n7\n    DoD Information Technology Security Certification and Accreditation Process, December 30, 1997.\n                                                   13\n\x0c    system with U.S. Standard General Ledger capability, but may not set up the\n    general ledger in compliance with the U.S. Standard General Ledger. In\n    addition, JFMIP will test a system\xe2\x80\x99s capability to interface correctly with\n    another system; however, once installed, the interface may not be in\n    compliance. As a result, DoD may incorrectly certify JFMIP approved systems\n    as compliant with Federal financial management systems requirements. DoD\n    should modify its guidance to ensure that JFMIP approved systems are installed\n    correctly and compliance with requirements is adequately documented. This\n    modification should ensure compliance with applicable Federal financial\n    management system requirements not covered during JFMIP testing. Until DoD\n    modifies its guidance, DoD should not report JFMIP approved software as\n    compliant.\n\nConclusion\n    This report identifies DoD Compliance Process issues that should be addressed\n    in the development and implementation of the Authorization Act Compliance\n    Process. The DoD Compliance Process goal is to achieve reliable financial\n    management information to DoD decision makers in a timely manner and ensure\n    compliance with applicable Federal financial management systems requirements.\n    However, the USD (C) did not have sufficient authority and should consider\n    preparing a DoD issuance to ensure that DoD Components implement the DoD\n    Compliance Process. The DoD is also addressing a conglomeration of issues\n    that will affect the DoD Compliance Process; therefore, the DoD Compliance\n    Process should proceed systematically. Once those initiatives are addressed, the\n    DoD Compliance Process can be reevaluated and restructured to be in alignment\n    with the outcome. In addition, the USD (C) should implement the mechanisms\n    necessary to monitor DoD Components\xe2\x80\x99 progress and should reevaluate the\n    guidance to ensure an adequate review of financial management systems.\n\nRecommendations, Management Comments, and Audit\nResponse\n    A. We recommend that the Under Secretary of Defense (Comptroller):\n\n           1. Institutionalize the Authorization Act Compliance Process in an\n    appropriate DoD issuance in order to provide the Under Secretary of\n    Defense (Comptroller) explicit authority to ensure that the Military\n    Departments and Defense agencies effectively implement the legislative\n    provisions.\n\n    Management Comments. The Acting Deputy Chief Financial Officer, Office\n    of the Under Secretary of Defense (Comptroller) concurred and will incorporate\n    this recommendation into the revised compliance process upon completion of\n    their enterprise architecture efforts. The Acting Deputy also stated that, through\n    the use of an independent contractor, it is developing a financial management\n    enterprise architecture that will serve as the DoD blueprint for effective\n    financial management reform. Because the scope of the enterprise architecture\n                                          14\n\x0cdevelopment is agency-wide, he believes the lessons learned from the\ndevelopment effort will be substantial. Furthermore, the benefits resulting from\nthe enterprise architecture lessons learned justifies a delay in revising the current\ncompliance process. The development of the enterprise architecture is expected\nto be completed by February 2003.\n\n       2. Implement a systems database to monitor the progress of the\nMilitary Departments and Defense agencies and ensure that the Military\nDepartments and Defense agencies have access to system information not in\ntheir purview.\n\nManagement Comments. The Acting Deputy concurred and stated that during\nthe initial stages of creating the financial management enterprise architecture,\nthe contractor will develop a data repository containing an inventory of financial\nmanagement systems, feeder systems, commercial systems, and their respective\ninterfaces through their enterprise architecture efforts. This data repository will\nbe used for future DoD financial management systems compliance efforts.\n\n       3. Establish the language and scope for systems to certify\ncompliance based on the applicable requirements identified in the latest\nedition of the Defense Finance and Accounting Service, \xe2\x80\x9cA Guide to Federal\nRequirements for Financial Management Systems\xe2\x80\x9d and other relevant\nrequirements.\n\nManagement Comments. The Acting Deputy concurred and will require\nsystem owners to certify compliance with \xe2\x80\x9call Federal and DoD requirements\nthat may be relevant to a particular financial management system\xe2\x80\x9d as part of the\nrevised compliance process. The revised compliance process will also specify\nthat a system owner must consider external data flows and interfaces when\ncertifying compliance.\n\n      4. Provide a clear definition of a critical financial management\nsystem.\n\nManagement Comments. The Acting Deputy partially concurred and stated\nthat defining criticality is the responsibility of the Office of Management and\nBudget. However, the Under Secretary of Defense (Comptroller) will work\nwith the Office of Management and Budget to develop a more concise definition\nof critical. This definition of critical will be included in the revised compliance\nprocess.\n\nAudit Response. Although the Acting Deputy partially concurred with the\nrecommendation, their proposed actions satisfy the intent of the\nrecommendation. No further comments are required.\n\n       5. Establish guidance to ensure Joint Financial Management\nImprovement Program approved systems are installed correctly and are\nadequately documented to comply with applicable Federal and DoD\nrequirements.\n\n                                     15\n\x0cManagement Comments. The Acting Deptuy concurred and will issue\ncommercial off-the-shelf software implementation guidance after the completion\nof the enterprise architecture efforts. The commercial off-the-shelf software\nguidance will include software approved by the Joint Financial Management\nImprovement Program.\n\nB. We recommend that the Director, Defense Finance and Accounting\nService amend the Defense Finance and Accounting Service, \xe2\x80\x9cA Guide to\nFederal Requirements for Financial Management Systems\xe2\x80\x9d to include\ndetailed coverage of data standardization and general controls.\n\nManagement Comments. The Director of Systems Integration, Defense\nFinance and Accounting Service, stated that version four of the Defense Finance\nand Accounting Service, \xe2\x80\x9cA Guide to Federal Requirements for Financial\nManagement Systems\xe2\x80\x9d (Blue Book) will reference the DoD Data Dictionary\nSystem. In addition, future versions of the Blue Book will include approved\ndata standards developed through the Under Secretary of Defense (Comptroller)\nenterprise architecture effort. The Defense Finance and Accounting Service\nplans to add additional references to automated systems general controls to\nversion four of the Blue Book. Additionally, the Defense Finance and\nAccounting Service is considering developing a supplemental general control\nguide for the Blue Book.\n\n\n\n\n                                  16\n\x0cAppendix A. Audit Process\n\nScope\n    Work performed. We evaluated the DoD Compliance Process, established in\n    the USD (C) January 5, 2001, memorandum and reviewed its effectiveness of\n    achieving compliance with Federal financial management system requirements.\n    We reviewed OMB, JFMIP, DoD, and other requirements as applicable to the\n    DoD Compliance Process. We conducted a limited review of the Blue Book\n    version 3, June 2001, to identify specific areas where the coverage of Federal\n    financial management system requirements may be insufficient. However, we\n    did not perform a complete assessment of Blue Book coverage of Federal\n    financial management system requirements.\n\n    We interviewed personnel from the OUSD (C), Business Policy Directorate on\n    the status of work performed for the DoD Compliance Process and other DoD\n    financial management initiatives. We also interviewed personnel from the\n    Office of the Assistant Secretary of the Army (Financial Management) and the\n    Army Audit Agency and obtained information on data mapping and guidance.\n    We obtained documentation on Army\xe2\x80\x99s preliminary critical inventory list. We\n    met with personnel from the Office of Assistant Secretary of the Navy\n    (Financial Management) and the Naval Audit Service and obtained\n    documentation on their guidance and process. In addition, we obtained\n    information on the status of data mapping, critical inventory list compilation,\n    and the implementation of the DoD Compliance Process.\n\n    We interviewed personnel from the Office of Assistant Secretary of the\n    Air Force (Financial Management) and the Air Force Audit Agency. We\n    obtained documentation on guidance, data mapping, an inventory list that\n    included 50 systems, the status of individual systems, and the Air Force\n    compliance process. We interviewed personnel from the DFAS, Systems\n    Integration Directorate and obtained documentation on critical inventory lists\n    which included 23 systems, the DFAS process, and guidance. In addition, we\n    obtained information on data mapping. We interviewed DLA personnel and\n    obtained documentation on the proposed strategies and information on the\n    current status of their implementation of the DoD Compliance Process.\n\n    We selected a sample of 12 ODOs based on DoD reporting requirements,\n    ownership of critical systems per the FMIP, and auditor judgment. We\n    conducted telephone and e-mail correspondence with a selection of ODOs\n    regarding their awareness and whether they had initiated implementation of the\n    DoD Compliance Process. Three DoD Intelligence Agencies were included\n    among our sample of 12 ODOs. Two agencies were not included in the report\n    because the information was classified. For a list of the ODOs outside the DoD\n    Intelligence community contacted, see Appendix C.\n\n    Limitations to Scope. We did not review the management control program\n    related to the overall audit objective because DoD recognized that the\n                                          17\n\x0c    categorization of its financial management systems was a systemic control\n    weakness in the FY 2000 Annual Statement of Assurance. The FY 2000 DoD\n    Statement of Assurance stated the cause of this problem is that DoD accounting,\n    finance, and feeder systems do not fully comply with Federal financial\n    management systems requirements.\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the Defense Financial Management high-risk area.\n\nMethodology\n    Use of Computer Processed Data. We did not rely on computer-processed\n    data to perform this audit.\n\n    Audit Type, Dates, and Standards. We performed this financial-related audit\n    from March 2001 through November 2001 in accordance with generally\n    accepted government auditing standards.\n\n    Contacts During the Audit. We visited or contacted individuals and\n    organizations within DoD, OMB, and JFMIP. Further details are available\n    upon request.\n\nPrior Coverage\n    The General Accounting Office and the Inspector General, DoD, have\n    conducted multiple reviews relating to compliance with Federal financial\n    management requirements. Unrestricted General Accounting Office reports can\n    be accessed on the Internet at http://www.gao.gov. Unrestricted\n    Inspector General, DoD, reports can be accessed on the Internet at\n    http://www.dodig.osd.mil/audits/reports.\n\n\n\n\n                                       18\n\x0cAppendix B. The DoD Compliance Process\n   The DoD Compliance Process provides guidance to ensure that critical\n   accounting, finance, and feeder systems are compliant with applicable Federal\n   financial management systems requirements. Details regarding the five phases\n   of the DoD Compliance Process and the applicable Blue Book exit criteria\n   follow below.\n\n   Awareness. The Awareness phase promotes acknowledgement and\n   participation in the DoD Compliance Process across DoD. A DoD Component\n   should map the flow of its financial information from point of original entry to\n   its presentation on the annual financial statements. To exit the Awareness\n   phase, a DoD Component must identify and prioritize critical accounting,\n   finance, and feeder systems and categorize each system by function in\n   accordance with the Blue Book.\n\n   Evaluation. The Evaluation phase requires the DoD Component to:\n\n          l   define the compliance problem(s),\n          l   decide the appropriate strategies to overcome the problem(s), and\n          l   establish a plan to apply the resources to ensure compliance.\n\n   To exit the Evaluation phase, a system owner must determine system\n   deficiencies according to the Blue Book and develop a corrective action and\n   funding plan to correct each deficiency.\n\n   Renovation. The Renovation phase implements the DoD Component corrective\n   action plans and conducts reviews necessary to bring non-compliant systems into\n   compliance. To exit the Renovation phase, the DoD Component shall certify\n   that the system(s) complies with all identified requirements according to the\n   Blue Book. The Council, after receiving certification that corrective actions\n   applicable to a system have been implemented, will request the Inspector\n   General, DoD, to validate the certification.\n\n   Validation. The Validation phase ensures that system problems are remedied\n   and that the system is compliant. Validations, in the form of audits or\n   acceptable reviews, will be conducted using a standard methodology\n   promulgated by the Inspector General, DoD. To exit the Validation phase, a\n   system owner shall obtain validation that the system complies with applicable\n   compliance factors according to the Blue Book from:\n          l   the Inspector General, DoD,\n          l   a public accounting or consulting firm, or\n          l   the respective Military Department audit agency.\n\n   Compliance. The DoD Compliance phase ensures that required documentation\n   is available and maintained for those systems, business areas, and reporting\n   entities that have been determined compliant.\n\n                                      19\n\x0c\x0c Appendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology and Logistics\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n\nDepartment of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nAuditor General, Department of the Army\n  Inspector General, Department of the Army\n\nDepartment of the Navy\nAssistant Secretary of the Navy (Financial Management and Comptroller)\nAssistant Secretary of the Navy (Manpower and Reserve Affairs)\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n  Inspector General, Department of the Air Force\n\n\n\n\n                                         21\n\x0cOther Defense Organizations\nDirector, Defense Advanced Research Projects Agency\nDirector, Defense Commissary Agency\nDirector, Defense Contract Management Agency\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\nDirector, Defense Logistics Agency\nDirector, Defense Security Cooperation Agency\nDirector, Defense Threat Reduction Agency\nDirector, DoD Human Resources Activity\nDirector, Missile Defense Agency\nDirector, National Imagery and Mapping Agency\nDirector, Washington Headquarters Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         22\n\x0cUnder Secretary of Defense (Comptroller)\nComments\n\n\n\n\n                       23\n\x0c24\n\x0c25\n\x0c26\n\x0cDefense Finance and Accounting Service\nComments\n\n\n\n\n                      27\n\x0cAudit Team Members\nThe Finance and Accounting Directorate, Office of the Assistant Inspector General for\nAuditing, DoD, prepared this report. Personal of the Office of the Inspector General,\nDoD, who contributed to the report, are listed below.\n\nPaul J. Granetto\nKimberly A. Caprio\nKathryn M. Truex\nMichael Perkins\nJacqueline L. Wicecarver\nA. Dahnelle Alexander\nScott S. Brittingham\nMargaret R. Westfall\nClara Li\nStephen G. Wynne\n\x0c'